Move hoped to spark wider adoption of vulnerability disclosure policies among Swiss organizations
Swiss Post has released the legal wording of the safe harbor policy for its bug bounty program under a Creative Commons license.
It’s hoped that the move may result in implementation of vulnerability disclosure policies (VDPs) among notoriously conservative Swiss organizations.
Swiss Post is the national postal service of Switzerland. The state-owned organization is also responsible for overseeing the country’s online voting (e-voting) system.
Regular readers of The Daily Swig will be well aware of the controversy that emerged following the launch of Swiss Post’s bug bounty program last year.
But with the dust now settled on the saga, Swiss Post announced it has released the legal definition of its safe harbor clause under a Creative Commons license.
It came after security consultant and co-lead of the ModSecurity OWASP Core Rule Set project Christian Folini approached the organization to consider making the change.
Folini told The Daily Swig: “The [safe harbor] wording was developed for the Swiss Post online voting bug bounty that ran under the name Public Intrusion Test in early 2019.
“It drew a lot of attention internationally and also lead to a lot of bad press for the source code of the system, even if the productive systems could not be penetrated.
“It took a while for Swiss Post to commit to the idea of bug bounties again, and we wanted to make sure the timing was right before we approached them and asked them to release the wording as a Creative Commons document.”
Port in a storm
Safe harbor clauses are frequently added to bug bounty or VDPs as a means of allowing security researchers and ethical hackers to test systems and networks without fear of legal reprimand.
Swiss Post’s decision to release its own safe harbor policy under a Creative Commons license effectively allows other organizations to use this wording as a blueprint for their own bug bounty or VDP.
“Big corporations do not regularly engage in releasing their texts as Creative Commons,” Folini said. “We have been very pleased with their approval.”
Switzerland has stringent laws that make it an offense to circumvent security measures, Folini explained.
“A port scan seems to be OK,” he said. “Anything else is not.”
This ultimately means that bug bounty programs and VDPs are rare – and even if they are available, security researchers are limited in what they can do.
Folini hopes that Swiss Post’s decision to open up its safe harbor policy under a Creative Commons license will spark change for other organizations in Switzerland.
He said: “The criminal law [needs to be] updated to acknowledge the role of ethical hackers and bug bounty hunters. But this is likely to take a lot of time. In the meantime, this legal safe harbor is a temporary remedy for a pressing problem.”
A spokesperson for Swiss Post told The Daily Swig: “We are now expanding this [bug bounty] programme further with the aim of soon running a public programme with a limited scope.
“Thanks also to the commitment of Swiss Post, the issue of bug bounty is slowly making its way into Switzerland.”
They added: “Good security results from the interaction between customers, Swiss Post and partners. A common understanding is therefore crucial.
“Security is an ongoing process and Swiss Post wants to benefit from the collective intelligence of a global community of ethical hackers and compete with the best in the world – for this it needs a Legal Safe Harbor.”